A new survey by Gartner, Inc. reveals a critical disconnect between cybersecurity investments and board-level confidence, with 90% of non-executive directors (NEDs) saying they lack a clear measure of confidence in the value delivered by cybersecurity initiatives. Only 10% of respondents believe their organisations have struck the right balance between protection and cost.
The findings, from the 2026 Gartner Board of Directors Survey, were gathered between April 14 and May 22, 2025, from 330 non-executive directors across North America, Latin America, Europe and Asia Pacific, spanning both private and public companies.
Cybersecurity scepticism: A resource for change
While the numbers indicate widespread doubt, Gartner suggests this scepticism is not necessarily a setback. Instead, it could be a strategic resource for organisations willing to reframe the way cybersecurity value is presented and understood.
According to Kristin Moyer, Distinguished VP Analyst at Gartner, boards continue to struggle to connect cybersecurity investments with tangible business outcomes.
“Dashboards and compliance updates can confuse rather than reassure, leaving NEDs uncertain about whether their organisation is truly more secure. Sense-maker CIOs and CISOs earn board consensus on right levels of protection and cost by translating the complexity of cybersecurity into business value such as revenue, cost and shareholder impact.”
These “sense-maker” CIOs and CISOs – described by Gartner as part of the cyber-elite – are those able to translate complex cyber risk landscapes into clear, actionable business language that aligns with board-level priorities.
Boards want clarity, not complexity
Today’s boards are increasingly looking for specific, contextual insights — not generalised threat trends. What they want to see is how individual cyber threats translate into real risk, exposure and organisational readiness.
By providing transparency on threat exposure levels and practical preparedness, sense-maker CIOs and CISOs are helping non-executive directors move from confusion to confidence when making decisions on cybersecurity investments.
Cyber risk among top external threats to shareholder value
Cyber threats, however, do not exist in isolation. The survey highlights that boardrooms are currently navigating a complex mix of geopolitical and technological risks:
- 70% of NEDs identified geopolitical instability and international conflict as the top external threats to shareholder value in the next 12 months.
- One in three NEDs listed cyber risks, technology disruption and innovation challenges as key threats for the year ahead.
According to Tina Nunno, Managing VP at Gartner, these concerns are grounded in real experience.
“Virtually all NEDs have experienced a cybersecurity breach either as executive leaders or during their tenure as board members. New security regulations have placed this topic front-and-centre on board agendas. At the same time, AI is causing significant business disruption—and has gained considerable attention from boards.”
Technology: Risk and remedy
Interestingly, despite identifying technology as a potential risk factor, boards are also placing their faith in it as a stabilising force in times of uncertainty.
- 63% of NEDs believe investing in technology and innovation is the best strategy for navigating geopolitical and economic volatility.
- 57% ranked AI as the top investment expected to positively impact shareholder value over the next two years, surpassing:
  - New products and services (56%)
  - Mergers and acquisitions (45%)
Nunno notes that NEDs are acutely aware of the massive investments pouring into AI startups and large language models, and they expect at least some of these bets to produce long-term returns.
More notably, 71% of boards are actively encouraging their organisations to take greater technology risks. They are putting pressure on CEOs and executive leadership teams to demonstrate a clear, actionable AI strategy — and to move quickly.
From trust deficit to board confidence
The underlying message from Gartner’s survey is unambiguous: the cybersecurity trust deficit at the board level can only be resolved through improved communication, transparency and alignment with business value.
As regulation increases, AI accelerates disruption and cyber threats grow in sophistication, the role of the “sense-maker” CIO and CISO will become more critical than ever – not just as technical guardians, but as strategic translators between the cyber world and the boardroom.






